CSI-SX 2008

April 30, 2008 by Dustin D. Trammell

CSI-SX is the new branding for the CSI NetSec conference, which is co-located with Interop Las Vegas, and is essentially the security-focused portion of the overall conference. As with the annual CSI conference, this conference targets a different demographic than I’m used to speaking for: the attendance usually comprises employees of very large enterprises and government, whereas I usually speak at conferences targeted at the research and hacker communities.

The night before the first day of conference sessions a speaker reception was held, which I attended. I met a number of people from the conference staff whom I had not met before, as well as a few of the other speakers. Surprisingly, I was well-received by this crowd, even with my spiked green hair, which I’m sure they don’t see a lot of at this type of conference.

Below are my thoughts on the couple of talks I was able to attend.


ToorCon Seattle 2008

April 22, 2008 by Dustin D. Trammell

The ToorCon organization puts on some of the best conferences in my opinion, and this last weekend was version 1.0 of their Seattle conference (beta was last year, which I also attended). Friday night was entirely 5-minute lightning talks and then Saturday was entirely 20-minute turbo talks. Sunday was workshops, which unfortunately I could not attend since I had to fly back to Austin mid-day. Last year was invite-only, and if you were there last year you received a coupon code for a discounted rate this year ($300); otherwise it was a little expensive to attend ($1000). Overall there were a number of excellent speakers with excellent content.

Due to the sheer number of talks (and I did see all of them), I’ll only cover the ones I found most interesting below:


ATARI: What’s in a name?

February 12, 2008 by Dustin D. Trammell

I have long been fascinated with self-given names, and the effect they have on the entity being named. Having grown up with my roots firmly planted in the computer underground, I regularly met and dealt with people identified only by their self-given handles (pseudonyms). I soon began to notice that many of these people seemed to embody traits and mannerisms that coincidentally aligned with the character assumptions and mental imagery that their handle’s subject-matter embodied. After a while I began to wonder: did these personal traits cause the person to name themselves in a certain way, or did naming oneself a certain name begin to manifest such corresponding traits in the individual? I’ve done some preliminary research into this subject, however I’m not quite ready to release my results… that’s a discussion for another time. Instead, today I want to comment on an observation regarding an entity of another type: a corporation.


Context-keyed Payload Encoding Whitepaper

January 28, 2008 by Dustin D. Trammell

Today, my research paper entitled “Context-keyed Payload Encoding” was published in Uninformed Journal vol. 9. If you’re into cutting-edge exploitation technology, you should check it out. This is the research I presented at ToorCon 9 last October.

Metroid Security Mechanism

November 16, 2007 by Dustin D. Trammell

Having recently played most of the way through Metroid Prime 3: Corruption, I came across an interesting security mechanism in the game that I haven’t really seen paralleled in the real world. During the latter part of the game, where the player travels to the Space Pirate home-world, the player receives a suit upgrade which allows the HUD of their visor to go into an X-Ray mode and see through most obstacles. An interesting property of the combination locks on that world is that the values on the buttons of the lock’s access panel are obscured from normal view; only when the panel is viewed via the X-Ray visor can the values of the buttons be read.

That’s not the bit that struck me as novel, however. The interesting bit to me was that once the player uses the X-Ray visor to see the values of the buttons on the panel, every time a button is pressed to enter its value, the values on the remaining buttons are randomized.

Now, the obvious flaw in the game’s locking mechanism is that the combination is displayed alongside the buttons; the “key” to the lock is essentially possession of the X-Ray visor. In the real world, the combination is generally secret and must be stolen, guessed, or brute-forced. Many mechanical brute-force attacks against combination locks using button pads, letter or number dials, disks, etc. depend on the values of those components being a mechanical constant of the system. If that holds, the brute-forcing device can ensure that once it has tried a particular combination of values it never tries it again, and can therefore progressively eliminate the failed combinations until only the correct one remains. The locking system used in the game denies an attacker that mechanical constant by randomizing the button values after every button press. A device that can only press positions, not read values, no longer knows which sequence of values it just entered, so it cannot eliminate anything and is reduced to memoryless random guessing: with N button values and a k-digit combination, every attempt has the same 1-in-N^k chance of success regardless of what was tried before. That doesn’t make the lock unbreakable (the expected effort becomes N^k attempts, roughly double that of an exhaustive search, and a lockout or rate limit is still what actually bounds the attacker), but unless the attacking mechanism can dynamically determine the values of the buttons prior to each button press, all of its bookkeeping about which combinations it has already tried is worthless.

In addition to the brute-force attacks, many intelligent guessing methods other than directly observing which values a user presses rely on observing the approximate locations of a user’s fingers and the motion of the hand as they press the buttons. A more forensic approach involves identifying button wear or dusting the keypad for fingerprints to identify which buttons are commonly pressed or were used in a recent authentication. Randomizing the button values, either after every button press or after each authentication attempt, also defeats both of these types of attacks. In the first case, the positions observed being pressed no longer correspond to any predictable values once the observation is over, so replaying them fails. In the second case, button wear should be uniform across all buttons due to the randomization of values, and fingerprints left on the keypad will no longer be associated with the correct button values at the time of dusting.
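To make the two arguments above concrete (the position-only brute-forcer whose eliminated-combination list becomes meaningless, and the observer who replays the positions a legitimate user pressed), here is a small simulation. It is an added example, not code from the original post or from the game; the Keypad class, the attacker functions and the 4-button, 3-digit parameters are my own constructions chosen to keep the runs fast.

```python
import itertools
import random


class Keypad:
    """Simulated combination keypad with n_buttons physical positions.

    randomize=True: the value printed on each position is reshuffled after
    every press (the Metroid Prime 3 behaviour described above).
    randomize=False: labels are a mechanical constant, like a normal keypad.
    """

    def __init__(self, combination, n_buttons=10, randomize=True, seed=None):
        self.combination = tuple(combination)
        self.n_buttons = n_buttons
        self.randomize = randomize
        self._rng = random.Random(seed)        # seeded so runs are repeatable
        self._labels = list(range(n_buttons))  # _labels[position] -> value
        self._entered = []
        self.attempts = 0
        if randomize:
            self._rng.shuffle(self._labels)

    def read_labels(self):
        """The X-Ray visor view: the current position -> value mapping."""
        return list(self._labels)

    def press(self, position):
        """Press the button at a physical position.

        Returns True/False once a full-length entry has been compared with the
        combination, or None while the entry is still incomplete.
        """
        self._entered.append(self._labels[position])
        if self.randomize:
            self._rng.shuffle(self._labels)     # the lock's defence
        if len(self._entered) < len(self.combination):
            return None
        self.attempts += 1
        ok = tuple(self._entered) == self.combination
        self._entered = []
        return ok


def visor_attacker(pad):
    """Attacker who reads the values before each press (holds the 'key')."""
    result = None
    for value in pad.combination:
        result = pad.press(pad.read_labels().index(value))
    return result


def position_bruteforce(pad):
    """Mechanical brute-forcer: tries every sequence of *positions* exactly
    once, assuming position -> value never changes. Returns the attempt number
    that opened the lock, or None if it exhausted its list without success."""
    for seq in itertools.product(range(pad.n_buttons), repeat=len(pad.combination)):
        result = None
        for position in seq:
            result = pad.press(position)
        if result:
            return pad.attempts
    return None


def bruteforce_success_rate(randomize, trials=400, combination=(1, 2, 3), n_buttons=4):
    """Fraction of seeded trials in which one full pass of position_bruteforce
    opens the lock."""
    wins = 0
    for seed in range(trials):
        pad = Keypad(combination, n_buttons, randomize=randomize, seed=seed)
        if position_bruteforce(pad) is not None:
            wins += 1
    return wins / trials


def replay_success_rate(randomize, trials=200, combination=(1, 2, 3), n_buttons=4):
    """A legitimate user enters the combination; an observer records only the
    *positions* pressed and replays them. Returns the observer's success rate."""
    wins = 0
    for seed in range(trials):
        pad = Keypad(combination, n_buttons, randomize=randomize, seed=seed)
        observed = []
        for value in combination:
            position = pad.read_labels().index(value)
            observed.append(position)
            pad.press(position)
        result = None
        for position in observed:               # the replay
            result = pad.press(position)
        if result:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("brute force, fixed labels:     ", bruteforce_success_rate(False))
    print("brute force, randomized labels:", bruteforce_success_rate(True))
    print("replay, fixed labels:          ", replay_success_rate(False))
    print("replay, randomized labels:     ", replay_success_rate(True))
```

With fixed labels the brute-forcer always opens the lock within one pass of the 64 position sequences, and the replay always works. With randomized labels each attempt is an independent 1-in-64 shot, so one pass of 64 "distinct" sequences succeeds only about 1 - (63/64)^64, roughly 63% of the time, and the replayed positions open the lock at the same 1-in-64 rate as a blind guess.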

I personally haven’t seen any key-pad combination lock manufacturers create anything like this in real life, and after some fairly extensive searching of the web I didn’t come across any products that do this. It would appear that Space Pirates have a thing or two to teach us about physical security.

[EDIT: Apparently, IBM holds a patent on exactly this idea. I wonder if they'll sue Nintendo for virtual patent infringement...]

ms07-061

November 13, 2007 by Dustin D. Trammell

My second Microsoft Patch Tuesday at the new employer was fairly uneventful. This Tuesday there was only one patch rated critical, MS07-061, and as it turns out it was the bug that I had already worked on last week. Essentially all I had to do was update my strikes from last week with the new reference and rename them, and our team was essentially done. You can read the details about the patched vulnerability over at the BreakingPoint StrikeCenter blog.

CSI 2007

November 8, 2007 by Dustin D. Trammell

CSI 2007 was the first time I’ve ever attended a CSI conference. I was actually a CSI member way back in the day when I was running my own consulting firm and needed as many business development avenues to explore as possible, but after closing my consultancy and going back to work for The Man(tm) I didn’t keep up my membership as I really wasn’t getting much out of the organization at that point. For some reason I had never attended any of their conferences. The CSI Annual Conference is billed as “The leading management, strategy and policy event for today’s security professionals”, so it’s a very different conference from what I’m used to. While I generally attend the more technical events, this one was targeted at an entirely different demographic. There was a lot of large enterprise and government presence, and I got plenty of scowls as people noticed my green hair, but in the end I believe I won most of them over…

The evening of my talk there was also a Capture the Flag game. Unfortunately I wasn’t aware of this until I ran into Dave Aitel that evening and he told me about it, or I would have had my laptop with me and been prepared to compete. This game was essentially a race through various goals with clues and hints along the way. The guy that won achieved the final goal at just under 2 hours. One potential vulnerability that I pointed out to the event organizers was that most of the information was given away to the audience in the observation room near the start of the competition, and had the competition not been 3 floors underground where there was no cellular signal, I could have easily relayed the information to Dave’s mobile via SMS or AIM or something. Had we had some other form of local wireless communication, cheating would have been trivial. Perhaps next time they’ll not give away so much information at the beginning to the audience…

Below are my thoughts on the couple of talks I was able to attend. Unfortunately I was only there for the one day that I was speaking, and I was too busy preparing to speak and recording a shorter version of my talk to actually attend many of them.


ToorCon 9

October 23, 2007 by Dustin D. Trammell

ToorCon is always one of my favorite conferences of the year, and this year was no different. Actually, I take that back, it WAS different, it was even better than usual. I got something out of almost every talk that I attended, and the conference ran very smoothly. The conference is small and intimate and the speaker badges are green… I really can’t ask for much more. This year the conference was split between the two days; the first day being traditional hour-long presentations whereas the second day took the cue from ToorCon Seattle (beta) and was entirely 20-minute turbo talks. I thought the conference format worked out really really well and provided a much larger breadth of subject-matter than would normally have been possible with entirely traditional-length talks.

Below are my thoughts on the various talks I attended.


ms07-055

October 15, 2007 by Dustin D. Trammell

Last week was Microsoft Patch Tuesday, and for once it actually affected me directly. The team I am part of at my new employer is responsible for reversing out patches such as these, determining the vulnerability that was patched, and developing ways to exploit or otherwise attack the software. From the advisories that were released, I ended up with ms07-055, which detailed a stack overflow in the Kodak Image Viewer, the default image handling application on Windows 2000 systems. After spending most of Tuesday setting up VMware and installing some tools like IDA Pro and BinDiff, I was able to get started.


New Employer: BreakingPoint Systems

October 1, 2007 by Dustin D. Trammell

Today I stepped into a new role as a Security Researcher for BreakingPoint Systems. I will be working with the team that handles the security component of the flagship product, the BPS-1000, which is a load and security testing appliance used to test network devices such as switches, firewalls, and the types of products my previous employer produces, Intrusion Prevention (or Detection) Systems. For the most part I’ll be developing “strikes”, which are essentially attacks and exploits packaged in such a way that the product can launch them and verify whether or not the device under test has properly blocked or otherwise handled the offensive traffic. It’s a welcome change to move over to the offensive side of the game again, which is really where I’m most comfortable.